Securing Network Access with 802.1X, Radius, and LDAP

SHUTTING OUT STRANGERS

Author(s): MICHAEL SCHWARTZKOPFF

The Radius protocol is typically used to authenticate users in dial-up scenarios. But Radius is also useful in LAN environments: in combination with 802.1X, Radius forces users to authenticate at a low level before the switch opens up a port.

Attacks from internal networks are dangerous and more difficult to prevent than external attacks. An attacker who plugs in to an internal network with a laptop gains wide-ranging access to network data. One way of preventing an attack is to implement an authentication function in OSI Layer 2 using the 802.1X [1] protocol. An 802.1X-capable switch and a Freeradius server are all you need to implement Layer 2 authentication. Because Layer 2 authentication operates at the level of the local, physical network, it prevents an intruder from even using the physical network without authentication. Radius (Remote Authentication Dial-in User Service Protocol) responses from a Linux server typically include the IP address and standard gateway for the user, but the protocol has more potential. You can use a Radius server to assign a VLAN to the user’s switch port. This technique avoids the need for a complex router infrastructure, but still restricts the size of the broadcast domain.